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ABSTRACT 


The hazards associated with the critical flight phases of 
civil as well as military flight operations can seriously 
degrade pilot efficiency, and therefore aircraft 
survivability, if the number or complexity of tasks that the 
pilot must manage exceeds his/her capabilities. This thesis 
explores the feasibility of applying artificial intelligence 
(AI) research to the construction of a Survivability Manager 
(SM) knowledge based system (KBS) that will assist the pilot 
by assuming a portion of the survivability task management 
load. The application of KBS principles to survivability 
management is illustrated using the normal and emergency 
management procedures for a hypothetical engine fuel supply 
system as a working example. Though the SM is not a reality 
today, there is considerable research in both AI and 
survivability enhancement studies to draw upon. It is 
recommended that a prototype be developed using currently 
available assets to further investigate the feasibility of 


the Survivability Manager. 
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I. INTRODUCTION 


This thesis is concerned with the feasibility of using 
artificial intelligence to assist the pilot in the management 
of aircraft survivability design features and equipment. 
Specifically, the intent is to propose the development of a 
Survivability Manager, capable of partially or fully 
autonomous control, for both civil and military aircraft. In 
order to make the following discussion meaningful, several 
terms must first be (re)defined. 

The aircraft combat survivability discipline has 
developed a vocabulary based upon a man-made hostile 
environment. Those familiar with this field will find that 
several of these terms have been broadened in context here to 
include their application to civil aircraft. Aircraft combat 
Survivability is defined as “the capability of an aircraft to 
avoid and/or withstand a man-made hostile environment’ 
[Ref.1: p. 1]. If the term survivability is expanded to 
include flight safety in general, it could be defined as the 
capability of an aircraft to avoid and/or withstand a 
hazardous situation. Similarly, susceptibility is now 
interpreted as the inability of an aircraft to avoid a 
hazardous situation, and vulnerability as the inability of an 
aircraft to withstand a hazardous situation. A hazardous 


Situation is one or more adverse conditions that, by design 


or by chance, have the potential to degrade flight 
performance. Flight performance degradation is measured by 
the extent to which components, designed to provide that 
performance, are functionally degraded. 

It is recommended that readers who are not familiar with 
survivability concepts review the glossary provided within 
this document. Those desiring a more detailed presentation on 


aircraft combat survivability are referred to Ball [Ref. 1}. 
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II. BACKGROUND : PROBLEM DEFINITION 


Since its early development, the aircraft has had to 
Operate under less than ideal circumstances. Even today’s 
super-sophisticated designs are subject to the ravages of 
defective workmanship, poor maintenance, bad weather, human 
error, in-flight obstacles, and other aircraft. Military 
aircraft must withstand man made hazards as well; hazards 
specifically designed for the destruction of aircraft. There 
are important distinctions between civil and military 
hazards, but the pilot’s primary responsibility in either 
case is to ensure that, in spite of any adverse conditions 
encountered, the flight is safely concluded. This chapter 
will explore the nature of these hazards, and provide some 
measure of the trained professional pilot’s ability to cope 


with them. 


A. CIVIL AIRCRAFT HAZARDS 

The general decline in the number of accidents per flight 
hour experienced by civil aircraft in the last decade is a 
direct result of the intensive training and sophisticated 
equipment currently available to pilots, air traffic 
controllers, and other support personnel. These impressive 
statistics notwithstanding, there is always room for 


improvement. Specifically, the relatively high proportion of 


LI 


mishaps resulting from human error still gives excellent 
incentive to take every conceivable effort to reduce them. 
An analysis of the hazards these aircraft encounter is the 
first step in any such effort. 

1. Mishap Statistics 

Each year the National Transportation Safety Board 

(NTSB) reports statistics concerning aviation related 
accidents that occur within its jurisdiction. The NTSB 
defines an accident as an occurence incident to flight in 
which: 

"ав а result of the operation of an aircraft, any 

person (occupant or nonoccupant) receives fatal or 

serious injury or any aircraft receives substantial 

damage.’ [{Ref. 2:p. 80] 

The NTSB’s latest synopsis covers the period from 1975 
through 1984 [{Ref. 3]. Although rates (number of accidents 
per 100,000 flight hours) and even numbers of accidents have 
generally fallen since 1978, there are still too many. The 
safest year in recent civil aviation history was 1984, yet 
there were 173 accidents involving revenue producing flight 
operations, resulting in 103 fatalities. Revenue producing 
operations include airlines, commuters, and on-demand air 
taxis. The statistics also reveal 2999 general aviation 
accidents in 1984, with 998 fatalities. General aviation 
operations refer to private, non-revenue producing, flying. 
The number and rate for this category are much higher, due, 


among other factors, to the enormous number of general 


О 


aviation aircraft. Unofficially, 1985 has already surpassed 
these figures, and is recognized as one of the worst years in 
recent civil aviation history [Ref. 4:p. 1]. 
2. Accident Causes/Factors 
In an effort to identify trends and significant 

problem areas, the NTSB reports all probable cause(s), as 
well as any related factors, for each accident. Factors are 
those elements of an accident that further explain or 
supplement the probable cause(s). These cause/factor 
elements may be grouped into three general categories: 

1) Environmental extreme. 

2) Material failure. 

3) Human error. 
Environmental extremes include micro-bursts, wind shear, 
turbulence, low visibility, hail, birds, and wet runways. 
Cyclic fatigue, brittle fracture, electrical malfunction, and 
fluid seal rupture are all examples of material failures. 
Human errors are procedural and judgemental errors on the 
part of the designer, manufacturer, pilot, air traffic 
controller, weather briefer, maintenance and service 
personnel, and any others directly or indirectly responsible 
for flight safety. Of all the causes/factors listed, pilot 
error is cited most often. 

3. Critical Flight Phases 
In reviewing accident statistics, it soon becomes 

apparent that there are operational flight phases which are 


more hazard intensive than others. 
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According to the NTSB [Ref. 2], the five general flight 
phases are: 
1) Static - aircraft immobile on deck, engines idle 


or secured. 
2) Taxi - to takeoff or from landing. 


3) Takeoff - run, abort, initial climbout. 

4) In Flight - climb to cruise, normal cruise, 
descent. 

5) Landing - approach, touchdown, roll out, missed 
approach. 


For the 1976-1981 period the NTSB reported that U. S. air 
carriers sustained 58% of their accidents while in the 
takeoff or landing phases. 
4. Hazards of Success 
The capabilities, availability, and popularity that 
the aircraft has gained in the past eighty years has made it 
indispensable to modern civilization. It is ironic that tms 
success has, in a sense, increased the opportunity for 
mishap. Aircraft have become bigger, faster, and more 
numerous, and each of these advantages has a corresponding 
disadvantage. 
a. Aircaft Size 
The first commercial flight service was in 1919, 
between London and Paris. The aircraft carried a maximum of 
four passengers. Today, ’jumbo jets’ carry up to five 
hundred passengers from New York to Tokyo, nonstop. These 
behemoths weigh over 400 tons and span almost 200 feet, wing 
tip to wing tip. That is too many people with too much 


inertia to expect favorable results in a mishap. 
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b. Flight Speed 
History’s first fatal accident in a powered 
aircraft occurred in 1908. Lieutenant Thomas Selfridge was 
killed as a result of a biplane crash, of which he was the 
passenger. The pilot was Orville Wright. The top speed of 
the craft was almost 45 miles per hour, apparently fast 
enough to kill. 

Today, supersonic transport (SST) air carriers cross the 
Atlantic at Mach two plus. More commonly, large subsonic 
transports cruise at about Mach point eight, which is roughly 
one thousand feet per second. The obvious hazard of an 
irresistible force meeting an immovable object is compounded 
by 1) the limited reaction time available to prevent it and 
Z) the possibility that the pilot is not even aware of the 
hazard. 

СО Traffic Density 

The number of IFR flights handled by the Federal 
Aviation Administration (FAA) Air Route Traffic Control 
Centers (ARTCC) has increased from 20.6 million in 1969 to 
31.6 million in 1984. The FAA forecasts the number to rise 
to 45.3 million in 1996 [Ref. 5:p. 1]. The total number of 
aircraft actually in the air is even greater, due to the VFR 
traffic that is not handled by the ARTCC. In 1984, the FAA 
recorded 42.9 million IFR flight hours, which reduces to an 
average of 4,897 IFR aircraft within U.S. airspace at all 


times. This means that the airways are getting more crowded, 
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en route delays will become more frequent and last longer, 


and the opportunities for collision will rise accordingly. 


B. MILITARY AIRCRAFT HAZARDS 

A major portion of military flight operations occurs in 
non-combat conditions, even in time of war. The previous 
discussion concerning civil aircraft hazards applies equally 
to military aircraft in these conditions. While in combat, 
the military pilot must also cope with a determined enemy 
effort to shoot him down. In this condition, the hazards 
can be of either external or internal origin. The external 
hazards are provided by the enemy air defense system, and the 
internal hazards are associated with task overload. 

1. Sophistication of Air Defense Systems 

The proliferation of air defense systems which have 

been developed to counter the threat of aggressor aircraft is 
an acknowledgement of the potential destructive power of 
these aircraft. With each gain in air power sophistication, 
there has been an effective countermeasure developed to 
neutralize it. Today, there are radar directed, high kinetic 
energy guns; long range guided surface-to-air and air-to-air 
СИР, and state-of-the-art high performance fighter 
interceptors, capable of engaging multiple targets 
Simultaneously. Still under development are directed energy 
weapons, using high power lasers and particle beams. The 


list is endless, and the combat pilot must have the means to 


16 


cope with these threats if he is expected to perform 
effectively and repeatedly. 
2. Sophistication of Aircraft 

Advances in technology, particularly in the last 
twenty-five years, have nurtured the development of aircraft 
capable of extremely complex operations under extraordinary 
environmental conditions at incredibly high speeds. This 
sophistication has brought two disturbing consequences. The 
first is the concurrent improvements in air defense system 
technology, discussed above. The second is the increasing 
probability that the pilot will encounter task overloading 
during critical flight phases, resulting ina fatal 
procedural oversight. The number of cockpit controls and 
displays has increased exponentially since the 1920s. The 
result is a ’data rich, information poor’ pilot, who must 
make timely, effective use of it. The pilot must be 
constantly cognizant of the aircraft health status, stores 
inventory, navigational position, and tactical situation, 
while simultaneously flying the aircraft, obtaining a fire 
control solution, selecting munitions, employing air defense 
countermeasures, evaluating component failure consequences, 
and updating response priorities. Although some of these 
tasks are currently being automated to some degree, the 
ШКепсгіз! for pilot overload during critical mission phases 


is still very significant. 
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С. НОМАМ PERFORMANCE 

Given the hazards outlined above, the capability for 
rapid, effective action to prevent or minimize critical 
component loss due to failure or damage must be enhanced 
correspondingly. Trained professional pilot capabilities 
notwithstanding, there is a limit to the number and 
complexity of operations that a person can perform in a given 
amount of time. Pilot functional overload is reached when: 

(1) Response time exceeds safe reaction time or; 
(2) Reaction complexity exceeds response 
capabilities. 

Human capabilities and limitations have been 
characterized by the Air Force Studies Board. Humans, asa 
system component, can perform numerous mission and flight 
essential functions which are not otherwise possible. They 
have well developed perceptual abilities, including visual 
and aural discrimination, pattern recognition, and speech 
comprehension. They are capable of flexible control, in that 
they can readily invent new procedures and adapt old ones to 
new circumstances. An unavoidable partner to this 
flexibility is a requirement for motivation. Humans perform 
best in active, mentally stimulating conditions, thus making 
them poor at repetitive tasking and watch-keeping. [Ref. 6:p 
34] 

The human brain possesses limited information processing 
capabilities. The speed at which data can be absorbed, 


processed, and responded to is finite, and can not be 
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appreciably increased. In addition, the human brain is 
basically a serial processor, able to perform multiple 
tasking only by rapidly switching through each one. (КеҒ. бір 
35] 

The errors associated with human information processing 
include precision, capture, and sequential errors. Precision 
errors are characterized by the incorrect identification of a 
state among many similar but distinct states. Capture errors 
occur when an incorrect, but familiar procedure is executed 
in place of the correct, less familiar one. Sequential 
errors refer to the improper order of step execution for a 
given procedure. The number and severity of the errors go 


up as the tasking increases. [Ref. 6:р 36] 
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IIli. OBJECTIVE : AUTOMATE ATRORAPTE SURV Ey ab citi 


MANAGEMENT 


Given the capabilities and limitations of human 
performance, there are three options available to enhance 
pilot effectiveness during critical (high workload) flight 
phases: 

(1) Improve pilot selection and training. 

(2) Increase the crew size. 

(3) Build ’intelligent’ cockpits. 
Option one would not be cost effective, because the calibre 
of today’s trained professional pilot is probably near the 
peak of human capability. The cockpit workload is simply 
threatening to exceed this capability. Option two has 
historically provided a workload reduction by delegation, but 
there are several disadvantages associated with the 
additional personnel. For example, it has been estimated 
that each additional 150-pound person in the cockpit requires 
approximately 10,000 pounds of additional support equipment 
(Ret. (62... J9]. It may be of greater importance to note 
that, ironically, the additional personnel does not always 
provide better performance. Complacency can compromise 
safety in a multi-piloted aircraft, when division of task 
load is not clearly defined. Recent design philosophy has 
shifted to one man operable cockpits, in part, for these 


reasons. Examples include the F-16, F/A-18, F-20, LHX, ATA, 
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ATF, and CASP. Even so, the Navy is now studying a proposal 
by McDonnell Aircraft Company for the development of a two 
seat operational version of the F/A-18 [Ref. 7]. The 
justification given implies that the additional crewman 
provides capabilities not otherwise possible with the 
automation technology that is curently available. Regardless 
of the number of seats, this conventional technology provides 
the pilot (and crew) with execution aids that, as opposed to 
autonomous employment aids, may not adequately reduce pilot 
tasking in critical flight phases. Building ‘intelligent’ 
cockpits, as option three suggests, could theoretically 
provide this needed reduction. There are numerous facets of 
the cockpit environment that could benefit from this ’built 
in’ intelligence, but this thesis is concerned with 
survivability. Therefore, consider the incorporation of a 
system specifically designed to actively assist the pilot in 
maximizing the aircraft’s survivability; a Survivability 


Manager. 


A. THE SURVIVABILITY MANAGER 
Whether civilian or military, the pilot is charged with 
three major responsibilities. In descending order of 
importance, they are: 
(1) Safety of personnel. 


(2) Effective employment of the aircraft. 
(3) Mission objectives. 


M 
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Any attempt to improve pilot performance must be measured 
against his/her success in meeting these goals. The most 
important measure of this success is survivability. With the 
advent of cockpit automation, pilot performance (and 
therefore survivability) has increased significantly. A 
logical next step is to automate the management of 


Survivability features and equipment; that is, give the 
aircraft a Survivability Manager designed to actively prevent 
or minimize any flight performance degradation that might 
result from a hazardous situation. 

The extensive use of microprocessor technology in modern 
aircraft design has provided subsystem status and control as 
a base on which to build. For example, most automated 
systems have built-in-test capabilities that self diagnose 
functional health. These data bases could be drawn upon by 
the Survivability Manager to monitor aircraft health and 
performance potential. Since many of these same subsystems 
are also computer operated, they may, in theory, be managed 
by a computer possessing ’quasi-human’ intelligence. 
Suppose, for example, that a component failure is detected. 
The Survivability Manager would selectivly reconfigure the 
remaining operational subsystems to functionally replace the 
failed component. The pilot has historically performed the 
reconfiguration, but a computer with a modest inference 


capability could also dat. 
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В. AUTOMATION GUIDELINES 

In selecting the functions to be automated, careful 
consideration must be given to the amount of interaction 
desired between the pilot and the Survivability Manager. A 
Strict division of functional responsibilities is not 
necessarily desirable. The degree of automation must be 
carefully considered for each potential application. 
According to Air Force studies [{Ref. 6:p. 39], the degree of 
automation employed should reflect the need to: 
1) Reduce excessive workload. 
2) Reduce errors. 
3) Improve performance. 
4) Add new capabilities. 

Computers will never be truly intelligent, like people. 
The subtle nuances and intuitive creativity of the human mind 
are beyond the physics of semiconductors. It is therefore 
difficult to conceive that pilots could be automated out of a 
job (the limited utility of remotely piloted vehicles (RPV) 
notwithstanding). However, there are many tasks that 
computers can perform as well as or better than people. They 
can complement pilot abilities by performing routine tasking 
or watch-keeping. In addition, they can supplement or extend 
pilot abilities. A case in point is the fly-by-wire flight 
control system for the DARPA X-29 forward swept wing 
aircraft. The dynamic instability of the aircraft is such 


that, without computer control, it would be ripped apart in a 
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fraction of a second. The pilot simply can not react quickly 


enough or precisely enough to directly control the aircraft. 


C. LIMITATIONS TO CURRENT AUTOMATION METHODS 

Conventional programming logics rely on exhaustive search 
and numeric methods to solve problems. These algorithms are 
incredibly fast at exceedingly tedious mathematical 
calculations, making them effective tools for automation of 
routine or well defined tasks. They do not lend themselves 
well to rational processes, where non-numeric facts and 
constraints must be considered. The conventional language 
program (such as FORTRAN) possesses a rigid response 
framework, from which it will analyze data and formulate 
results. To require such a program to select an optimal 
solution based on non-numeric considerations would invariably 
invite disaster. What is required is a pseudo-intelligent 
program, one that can reason in a quasi-human fashion; hence 


the term, ‘Artificial Intelligence’. 


ІУ. APPROACH : ENHANCE SURVIVABILITY WITH 


кор С 


Artificial Intelligence (AI) can be loosely defined as 
the condition wherein machines think, or at least seem to 
think, like people. Specific research in this relatively new 
field of study includes natural language, vision, symbolics, 
robotics, and expert systems. Expert systems, also referred 
to as knowledge based systems (KBS), are the AI studies to be 
addressed here. These systems use sophisticated problem 
solving techniques and vast stores of knowledge to solve 


problems that conventional programming methods can not. 


A. THE KNOWLEDGE BASED SYSTEM 

In order to build knowledge based systems, the software 
engineer must first be aware of the techniques that the human 
mind uses, consciously or not, to attack difficult problems, 
and the reasoning strategies used to guide the search for 
solution(s). According to Lenat [Ref. 8:p. 204], humans 
solve problems by applying their understanding of the 
regularities of the solution space to constrain the search. 
The techniques used to apply this understanding include: 


1) Formal reasoning: use formal logic methods such 
as resolution or structural induction. 


2) Heuristic reasoning: use statistical probability 
methods and if-then rules of thumb. 
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3) Focus: be oriented toward specific goals. 


4) Divide and conquer: break up a complex problem 
into smaller, simpler problems. 


5) Parallelism: work on several searches 
Simultaneously. 


6) Representation: attack the problem from 
several different perspectives. 


7) Analogy: recognize the similarities of a new 
problem to an old one. 


8) Synergism: use a multitude of simple 
relationships to solve a complex problem. 


9) Serendipity: gather data and look for patterns. 
It is essential to incorporate these techniques in the 
construction ot the expert system if it is to succeed at 
performing intelligently, but it is not sufficient. There 
must also be a reasoning strategy that guides the employment 
of these techniques. The two most common reasoning 
strategies are forward inferencing and backward inferencing. 
In forward inferencing the attempt is made to reason forward 
from the facts to a solution. In backward inferencing the 
system will assume a solution and try to find supporting 
evidence from the facts. 

Assuming that the KBS is constructed to employ the 
requisite reasoning techniques and strategies, it must also 
have access to an enormous amount of basic knowledge. This 
Knowledge base must be comprehensive and unpolluted in order 
to prevent deductive errors. Deductive errors include errors 


of omission (a known fact that is not provided), and errors 
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ето (informacion тарат that is inaccurate). 
Moreover, there is a fundamental limitation to which any 
logical reasoning process is subject: insufficient data. In 
other words, if "THIS follows from THAT" can be validated, 
then the system will answer YES. But if “THIS does not 
follow from THAT”, given an incomplete knowledge base, the 
system may not be able to answer NO. In order to obtain a 
KBS relatively free of deductive errors, the process of 
acquiring the knowledge from domain experts must be 
meticulous and exhaustive. Current techniques for knowledge 
acquisition are slow and painful, and if AI is to become 
truly practical, a more automatic means must be devised. 

When the rational thought processes are clearly 
understood, the software engineer can then begin to construct 
the knowledge based system (Figure 1). Fundamentally, this 
consists of a knowledge base and an inference engine [Ref. 
9:pp. 22-23]. The knowledge base is the store of facts and 
rules, provided by the domain expert, which pertain to the 
subject of interest. The inference engine performs the 
actual reasoning process using a combination of the reasoning 


tools and strategies described above. 


eet 


The interence engine is essentially a program that is 


capable to processing symbols that represent objects. In 
Assertions Question 
i i 
ү ү 
(Knowledges Basel = n mmn >[Inference Engine] 
y 


Answer(s) 


Figure 1. Knowledge Based System 


contrast to conventional computer applications, where symbols 
represent numbers and mathematical operations, the KBS symbol 
can represent a person, process, concept, or class of 
objects. The knowledge can be represented in several 
different formats, with each format used for the knowledge it 
represents best (Ref. 10:p. 32]: 


(1) Production rules; situation-action or premise- 
conclusion rules in which the first part (antecedent) 
represents some pattern, and the second part 
(consequent) represents a conclusion to be drawn when 
the data matches the pattern. They are useful in 
representing procedural knowledge. 


(2) Semantic networks; taxonomic scheme wherein 
objects are nodes and relationships are links 
between nodes. They are useful in representing object 
interrelationships. 


(3) Frames; format in which objects are represented 
by certain standard properties and by 
relationships with other objects. They are useful in 
representing large amounts of knowledge about 
object properties and relations. 
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(4) First order logic; formal method of representing 
logical propositions and relationships between 
propositions. Useful in representing knowledge 
in explicit terms. 

Ideally, the knowledge would be encoded within the knowledge 
base in the format that provides for the most efficient 


utilization for the current problem. 


БОО A SIMPLE KBS ILLUSTRATION 

A practical example will now be presented to illustrate 
the applicability of the KBS to aircraft survivability. The 
application to be considered incorporates both susceptibility 
reduction and vulnerability reduction logics for a simplified 
twin-engine aircraft fuel supply system. This fuel supply 
system consists of identical port and starboard subsystems 
which feed the port and starboard engines, respectively. The 
primary components of each subsystem include a feed tank, a 
transfer tank, and an external tank. The susceptibility 
reduction logics seek to avoid fuel starvation, through 
proper management of the available fuel supply. The 
vulnerability reduction logics seek to minimize the loss of 
usable fuel due to component failures. Тһе domain knowledge, 
which is encoded into the knowledge base, will be partially 
represented by a set of production rules, which would be 
provided by the domain expert (in this case the fuel system 
engineer). In this example, the rules may be divided into 
two groups; declarative rules and procedural rules. When the 
declarative rule antecedent conditions are satisfied, the SM 
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adds the consequent to the knowledge base as ап assertion. 
When the prcedural rule antecedent conditions are satisfied, 
the SM performs, or advises the pilot to perform, some 
action(s). In addition to the production rules, the knowledge 
base also contains facts that represent status of the fuel 
supply system’s critical components. These component status 
facts are continuously updated by reports from appropriate 
sensors. 

In a situation where probabilities must be considered, 
each declarative rule antecedent condition would be ’tagged’ 
with its derived probability. The probability of the 
consequent would then be computed using Bayes’ law or some 
other formal procedure of probability theory. For this 
example, all probabilities will be assumed to be 100 percent. 
In the following list of rules, the local variable ’X’ stands 
for either starboard or port, and is necessarily consistent 
only within a given rule. The local variable ’Y’ always 
stands for the opposite to the value of local variable ’X’. 
This effectively cuts the number of required rules in half, 
with a corresponding savings in required memory. A (D) is 
used to identify a declarative rule, and a (P) identifies a 


procedural rule. 


RULES: 
(1) IF FUEL FLOW PRESSURE TO ENGINE XT SFRT TCHR 0 


ENGINE X WILL HAVE SUFFICIENT FUEL TO MEET ENGINE X 
DEMANDS. (D) 
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(2) 


(3) 


(е) 


(5) 


(6) 


(7) 


(8) 


(9) 


(10) 


C11- 


(12) 


(13) 


(14) 


IF (FUEL FLOW PRESSURE TO ENGINE X IS LOW) AND 
(THROTTLE X IS CHANGED ABRUPTLY), THEN ENGINE 
X WILL CEASE TO FUNCTION. (D) 


IF FUEL FLOW PRESSURE TO ENGINE X IS ZERO, THEN 
ENGINE X WILL CEASE TO FUNCTION. (D) 


IF (FUEL IS AVAILABLE TO ENGINE X BOOST PUMP) AND 
(ENGINE X BOOST PUMP FUNCTIONS), THEN FUEL FLOW 
ЕТЕ ЛЫК lO ENGINE X IS HIGH. (D) 


IF (FUEL IS AVAILABLE TO ENGINE X BOOST PUMP) 
AND (ENGINE X BOOST PUMP FAILS FREE), THEN FUEL 
FLOW PRESSURE TO ENGINE X IS LOW. (D) 


IF (FUEL IS NOT AVAILABLE TO ENGINE X BOOST 
PUMP) OR (ENGINE X BOOST PUMP FAILS FROZEN), 
THEN FUEL FLOW PRESSURE TO ENGINE X IS ZERO. (D) 


IF (FUEL IS AVAILABLE TO FIREWALL SHUTOFF VALVE X) AND 
(FIREWALL SHUTOFF VALVE X IS OPEN), THEN FUEL IS 
AVAILABLE TO ENGINE X BOOST PUMP. (D) 


IF (FUEL IS NOT AVAILABLE TO FIREWALL SHUTOFF VALVE X) 
OR (FIREWALL SHUTOFF VALVE X IS CLOSED), THEN FUEL IS 
NOT AVAILABLE TO ENGINE X BOOST PUMP. (D) 


IF (ENGINE X BOOST PUMP FAILS FROZEN) OR (FEED TANK X 
EJECTOR PUMP IS CLOGGED) OR (ENGINE X FUEL DEMAND IS 
ZERO), THEN CLOSE FIREWALL SHUTOFF VALVE X. (P) 


IF (FEED TANK X QTY IS NOT ZERO) AND (FEED 
TANK X EJECTOR PUMP IS CLEAR), THEN FUEL IS 
AVAILABLE TO FIREWALL SHUTOFF VALVE X. (D) 


IF (FEED TANK X QTY IS ZERO) OR (FEED TANK X 
RJECTOR PUMP) 1S CLOGGED), THEN= FUEL IS NOT 
AVAILABLE TO FIREWALL SHUTOFF VALVE X. (D) 


IF (FEED TANK X FUEL QTY IS LESS THAN MINIMUM) AND 
(FIREWALL SHUTOFF VALVE X IS OPEN), THEN (OPEN FEED 
TANK INTERCONNECT VALVE) AND (FLY WINGS LEVEL). (Р) 


If (FEED TANK X QTY IS FULL) AND (FUEL CAN NOT BE 
TRANSFERRED FROM EXTERNAL TANK X OR TRANSFER TANK X 
TO FEED TANK X), THEN CLOSE THE FEED TANK 
INTERCONNECT VALVE. (P) 


IF (TRANSFER TANK X EJECTOR PUMP FUNCTIONS) AND 


(TRANSFER TANK X QTY IS NOT ZERO), THEN FUEL IS 
TRANSFERRED FROM TRANSFER TANK X TO FEED TANK X. (D) 
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1599) 


(16) 


(Ем) 


(18) 


(19) 


(20) 


(24) 


(22) 


(297 


(24) 


(25) 


IF (FEED TANK X IS FULL) AND (FUEL IS 
TRANSFERRED FROM EXTERNAL TANK X OR TRANSFER 
TANK X OR FEED TANK Y TO FEED TANK X), THEN 
EXCESS FUEL IS VENTED TO TRANSFER TANK X. (D) 

IF (TRANSFER TANK X QTY IS ZERO) OR ((EJECTOR PUMP 
FAILS) AND (TRANSFER TANK X CHECK VALVES FAIL 
CLOSED)), THEN FUEL CAN NOT BE TRANSFERRED FROM 
TRANSFER TANK X TO FEED TANK X. (D) 


IF (EXTERNAL TANK X QTY IS NOT ZERO) AND (THE 
EXTERNAL TANK PRESSURIZATION VALVE IS OPEN), 
THEN FUEL IS TRANSFERRED FROM EXTERNAL TANK X 
ТО КЕЕР ТАМК Х. (В) 


IF (EXTERNAL TANK X QTY IS ZERO) OR (THE EXTERNAL 
TANK PRESSURIZATION VALVE FAILS CLOSED), THEN FUEL 
CAN NOT BE TRANSFERRED FROM EXTERNAL TANK X TO FEED 
TANK X. (р) 


IF EXTERNAL TANK X QTY IS GREATER THAN ZERO AND LESS 
THAN TRANSFER TANK X (CAPACITY MINUS QTY), THEN OPEN 
EXTERNAL TANK PRESSURIZATION VALVE. (Р) 


IF (EXTERNAL TANK X QTY PLUS EXTERNAL TANK Y QTY IS 
ZERO) AND (THE EXTERNAL TANK PRESSURIZATION VALVE IS 
OPEN), THEN CLOSE THE EXTERNAL TANK PRESSURIZATION 
VALVE. (P) 


IF (FEED TANK INTERCONNECT VALVE IS OPEN) AND 
(WING X IS LOWER THAN WING Y), THEN FUEL IS 
TRANSFERRED FROM FEED TANK Y TO FEED TANK X. (В) 

IF (FEED TANK INTERCONNECT VALVE IS CLOSED) OR (FEED 
TANK Y QTY IS ZERO) OR (WING Y IS LOWER THAN WING X) 
OR (FEED TANK X AND TRANSFER TANK X QTY IS FULL), 
THEN FUEL САМ МОТ BE TRANSFERRED FROM FEED TANK Y ТО 
FEED TANK X. (D) 


IF FUEL TANK X INTEGRITY IS SEALED, THEN FUEL TANK X 
WILL HOLD UP TO FUEL TANK X CAPACITY UNTIL SUCH FUEL 
IS TRANSFERRED OUT OF FUEL TANK X. (D) 


IF (EXTERNAL TANK X IS RUPTURED) AND (EXTERNAL 
TANK X QTY IS NOT ZERO), THEN OPEN THE 
EXTERNAL TANK PRESSURIZATION VALVE. (P) 


IF (TRANSFER TANK X IS RUPTURED) AND (FUEL CAN BE 
TRANSFERRED FROM EXTERNAL TANK X OR TRANSFER TANK X 
TO FEED TANK X), THEN (OPEN THE FEED TANK 


INTERCONNECT VALVE) AND (FLY WING Y DOWN). (P) 


PACTS: 


(1) ВН EXTERNAL TANK QTY IS (ZERO/PARTIAL/FULL). 

(2) LH EXTERNAL TANK QTY IS (ZERO/PARTIAL/FULL). 

(3) RH TRANSFER TANK QTY IS (ZERO/PARTIAL/FULL). 

(4) LH TRANSFER TANK QTY IS (ZERO/PARTIAL/FULL). 

(5) RH FEED TANK QTY IS (ZERO/MIN/PARTIAL/FULL). 

(6) LH FEED TANK QTY IS (ZERO/MIN/PARTIAL/FULL). 

(7) RH EXT TANK INTEGRITY IS (SEALED/RUPTURED). 

(8) LH EXT TANK INTEGRITY IS (SEALED/RUPTURED). 

(9) RH TRANS TANK INTEGRITY IS ( SEALED/RUPTURED) . 

(10) LH TRANS TANK INTEGRITY IS (SEALED/RUPTURED). 

(11) RH FEED TANK INTEGRITY IS (SEALED/RUPTURED). 

(12) LH FEED TANK INTEGRITY IS (SEALED/RUPTURED) . 

(13) RH ENGINE BOOST PUMP IS 
(FROZEN/FREE/FUNCTIONAL). 

(14) LH ENGINE BOOST PUMP IS 
(FROZEN/FREE/FUNCTIONAL). 

#15) RHeFEED TANK EJECTOR PUMP IS 
(CLOGGED/CLEAR) . 

ШӘ) ІН FEED TANK EJECTOR PUMP IS 
( CLOGGED/CLEAR) . 

(17) RH TRANSFER TANK EJECTOR PUMP IS 
(CLOGGED/CLEAR) . 

(18) LH TRANSFER TANK EJECTOR PUMP IS 
(CLOGGED/CLEAR). 

(19) FEED TANK INTERCONNECT IS (CLOSED/OPEN). 

(20) RH FIREWALL SHUTOFF VALVE IS (CLOSED/OPEN ). 

ШІ)! ІН BIREWALL SHUTOFP VALVE IS (CLOSED/OPEN). 

(22) EXTERNAL TANK PRESSURIZATION VALVE IS 


oe 
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(CLOSED/OPEN ). 


(23) RH WING IS (HIGHER/LOWER) THAN LH WING. 


Consider the knowledge base above. The SM’s function, 
with regard to the fuel supply system, is to ensure that fuel 
15 available to meet engine demands as long as possible. This 
maintained availability is the desired goal state toward 
which the SM must constantly strive. It is therefore logical 
to use a backward inferencing strategy to achieve this goal 
state. AS an initial state, suppose all components are 
functioning correctly (as would normally be the case), and 
that all six fuel tanks are full of fuel. The SM will be 
monitoring both port and starboard fuel supply subsystems 
simultaneously. If the fuel supply to the starboard engine 
is of current interest, then ’X’ corresponds to starboard, 
and 'Y° corresponds to port. Starting with the consequent of 
Rule 1 (i.e. ENGINE X WILL HAVE SUFFICIENT FUEL TO MEET 
ENGINE X DEMANDS) as the hypothetical result, the inference 
engine attempts to satisfy the conditions of the antecedent 
(i.e. FUEL FLOW PRESSURE TO ENGINE X IS HIGH). It searches 
the knowledge base for a sequence of actions, combined with 
current facts, that will culminate in the maintenance of 
these conditions. 

Although the fuel flow pressure is in fact already high 
in the initial state, it is not guarenteed to stay high. 


Therefore, the SM continuously cycles through the knowledge 
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base, searching for a sequence of actions to take that will 
ensure that the fuel flow pressure remains high for as long 
as possible. In this way, the SM finds that the consequent 
of Rule 4 satisfies the antecedent of Rule 1; that Fact 13 
(functional boost pump) and the consequent of Rule 7 combine 
to satisfy the antecedent of Rule 4; that Fact 20 (open 
firewall shutoff valve) and the consequent of Rule 9 combine 
to satisfy the antecedent of Rule 7; and finally, that Fact 
5 (full feed tank) and Fact 20 (clear ejector pump) combine 
to satisfy the antecedent of Rule 9. Thus the, initial state 
conditions (facts) are sufficient to achieve the goal state 
conditions (hypothesis), as long as the initial conditions 
due not change. However, conditions must change; fuel must 
flow. 

As the feed tank fuel is transferred to the engine, the 
transfer tank automatically replenishes the feed tank, via 
the transfer tank ejector pump and check valves (Rule 14). 
This transfer rate is greater than any engine demand rate 
possible, and the excess is vented back into the transfer 
tank (Rule 15). All of this happens without SM intervention. 
The SM will intervene only when procedural rules are fired 
(i.e. the antecedent is satisfied). 

When the quantity of fuel in the transfer tank plus the 
quantity of fuel in the external tank is less than the fuel 
capacity of the transfer tank, the antecedent of Rule 19 is 


‘Satisfied and the SM directs that the external tank 
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pressurization valve be open. If completed, this actions 
reflected by a change in Fact 22 (pressurization valve open) 
which, along with Fact 1 (external tank full), satisfies Rule 
17. Rule 17 then ’asserts’ that fuel is transferred from the 
external tank to the feed tank. Finally, by Rule 15, the 
transfer tank is replenished until, by Rule 20, the external 
tank pressurization valve is closed. 

Now, suppose that the starboard transfer tank begins to 
lose fuel and that the appropriate sensor reports this 
failure. Ideally, the sensor would report the failure cause, 
mode, and degree. In this example, the mode is reported to 
be a loss of usable fuel, the cause might be projectile 
penetration, and the degree might be a gallon per minute. 
Although the cause and degree of the fuel loss may not be 
easily assessed, knowledge of the failure mode supplies 
sufficient data for the SM to attempt to minimize the 
degradation of fuel system performance. Rule 25 is fired by 
the reported failure, causing the SM to direct the opening of 
the feed tank interconnect valve and the lowering of the left 
wing. These actions update Fact 19 (interconnect open) and 
Fact 23 (left wing down), which allows fuel to be transferred 
to the port fuel tanks. This action conserves fuel that 
would otherwise be lost via the leaking tank. When the 
starboard feed tank quantity drops below a predefined 
minimum, Rule 12 is fired, which allows the port feed tank to 


refill the starboard feed tank. When the starboard feed tank 
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is again filled, Rule 13 is fired, which prevents fuel from 
being vented back into the ruptured tank. The SM will then 
cycle between Rule 12 and Rule 13 until a new fact fires some 
other rule(s) into action. 

This example has been oversimplified in the interest of 
brevity and clarity. Obviously, there are other effects to 
consider, such as fire hazards or significant structural 
damage, associated with the damage/failure processes that led 
to the loss of integrity of the starboard fuel transfer tank. 
In addition, the remedial actions taken must be weighed 
against possible adverse affects on the performance of other 
systems. In this case, the flight control system may not be 
able to trim out the lateral weight imbalance resulting from 
the fuel redistribution from the starboard wing to the port 
wing. It is assumed that the knowledge base would be 
comprehensive enough to enable the SM to foresee and resolve 
such conflicts, within the paramount constraint to sustain 


controlled flight as long as possible. 
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У. Al APPLICATIONS TO AIRCRAFT SURV ВЕНЫ 


Aircraft combat survivability enhancement studies 
emphasize the needs of the military aircraft in combat 


conditions. Specifically, they seek to prevent enemy air 


defenses from engaging friendly aircraft (susceptibility 
reduction) and/or limit the damaging effects of such 
engagements (vulnerabilty reduction). However, these studies 
are not exclusively applicable to military aircraft in combat 
conditions. For example, the development of collision 
avoidance equipment for civil aircraft is also an application 
of susceptibility reduction principles. Similarly, 
vulnerability reduction studies are relevant to all aircraft, 
in that they are concerned with component failures which may 
or may not be the result of damage that is intentionally 
inflicted. Whether the aircraft is civil or military, 
artificial intelligence will have widespread application 
assisting the pilot in managing the systems involved. With a 
Survivability Manager on board, the pilot will be free to 


concentrate on flight safety and mission objectives. 


А. SUSCEPTIBILITY REDUCTION 


Tx Military Alrerafrt 


There are six general concepts which can be employed to 


reduce the susceptibility of military aircraft to combat 
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damage: threat warning, noise jammers and deceivers, 
signature reduction, expendables, threat suppression, and 
tactics [Ref. 1l:pp. 198-221]. All of them can be enhanced to 
some degree by AI management. 
a. Threat Warning 

Any on board equipment that senses and analyzes 
enemy electromagnetic emissions must make this data useful to 
the pilot. Simply inundating him/her with nonprioritized and 
possibly extraneous data may well serve to lessen his/her 
effectiveness, rather than increase it. He/she is primarily 
concerned with the enemy’s tracking, illuminating, and 
guidance emitters, and he/she must react to these emitters in 
the order of descending response urgency. AI is capable of 
servicing these requirements. In addition, the emitter 
Classification and status determination can clearly benefit 
from Al’s ability to draw logical inferences from bodies of 
evidence of various levels of abstraction inherently 
containing some degree of uncertainty. 

b. Noise Jammers and Deceivers 

Timely and effective employment of these 
electromagnetic countermeasures devices is dependent on 
careful consideration of the dynamic tactical environment in 
which the aircraft is operating. Obviously, this is an area 
where the pilot could use an ’assistant’ to suggest or 


actively control such employments. The Survivability Manager 
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could provide this assistance, given that it has access to a 
knowledge base describing the tactical environment. 
с. Signature Reduction 
The aircraft signature includes radar cross 
section, infrared radiation, visible and acoustic emissions, 


and electromagnetic emissions from active sensors and 


communications equipment. The state of current technology 
could provide the pilot, and so the SM, with signature 
reduction features that give some control over the magnitude 
of these detectable emissions. For example, an 
electromagnetic (EM) emitter master disable switch could be 
provided, to effect total EM silence instantly on demand. 
The optimum utilization of these features can be suggested, 
or autonomously effected, by a properly programmed SM. 
d. Expendables 
Arguments identical with item (b). 
e. Threat Suppression 
This refers to actively neutralizing the threat 
through weapons employment. Although AI would undoubtedly 
find application with offensive tactical weapons employment, 


it is an entire study in itself, and will not be pursued 


here. 
Е. Tactics 
Tactics refer to the way in which the aircraft is 
employed in combat. An example of a tactic used to reduce 


aircraft susceptibility is to fly an aircraft profilem io 
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will minimize the exposure time to the threat. The SM could 
suggest defensive tactics if, as assumed in item (b), it has 
access to knowledge bases concerned with the mission 
requirements and the tactical environment. 

Б. Integrated Features 

The greatest potential will be achieved with a 
Survivability Manager designed to use an integrated systems 
approach. For example the data from threat warning devices 
could be analyzed to allow maximum effectiveness in the 
various countermeasures employments. In addition, the 
information could be presented so as to suggest defensive 
maneuvers (tactics) that would give the threat emitters the 
widest possible berth. 
2. Civil Aviation Aircraft 

Most of the susceptibility reduction techniques apply 
only in man-made hostile environments. Threat warning stands 
out as the notable exception when the term ’threat’ includes 
those which are non-military. Within this definition, 
threats include environmental extremes, material failures, 
and human errors. 

a. Environmental Extreme 

Currently, most of the information that is 

provided to the pilot concerning environmental extremes 
comes, if at all, from sources outside of the aircraft. 
These sources include preflight weather briefs, in flight 


updates from Flight Service Stations, and Pilot Reports. 
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Weather radars are the only widely available on board device 
capable of warning of weather hazards, and they are limited 
to the detection of thunderstorms and heavy precipitation. 
The development of aircraft wind shear detection systems will 
provide a real time alert for wind shear hazards, allowing 


the pilot to better prepare for their effects. The sensor 


data could also be fed to the SM, which could then suggest 
(if not execute, in time critical situations) steps to avoid 
or withstand the threat. Like the pilot, the SM will be most 
effective when the aircraft sensors can provide a nearly 
complete picture of the external environment. 
b. Material Failure 

Component material failures generally can not be 
accurately predicted in flight. Either they are long term 
phenomena, monitored by sophisticated ground maintenance 
equipment and replaced well before failure occurs, or they 
fail too rapidly to allow any pilot warning. However, there 
are Situations where appropriate action can be taken in 
flight to avoid specific component failures. For example, 
Strain gages might be placed at strategic stress points in 
the wing structure. The data from these sensors could be 
compared with known structural strength limits to 
conitnuously update the ’g’ load limits. In the event of 
unavoidable overstress conditions or structural damage, the 
pilot would have a means to asses the new ’g’ load that may 


be safely applied to the aircaft. This principle of health 
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awareness can be applied throughout the aircraft, giving the 
SM the means to monitor the material strenth of major load 
bearing components and to take steps to prevent them from 
failing. 
c. Human Error 

The threat of human error is probably the hardest 
to detect, due to the complex and unpredictable nature of the 
human mind. Nevertheless, many errors can be detected in the 
period after commission and prior to any irreversible 
consequences. Since pilot error is the most often cited 
cause/factor in accident investigation reports, it may be 
inferred that the complacent and/or inexperienced pilot is 
currently the most serious threat to aviation safety. Though 
no amount of assistance can replace good judgment or 
professional airmanship, a timely caution might have saved 
many competent pilots from their one fatal mistake. An SM 
programmed to monitor normal and emergency procedures, with 
status sensor relays from the controls involved, could warn 
against, if not actively prevent, such procedural blunders. 
This is a logical sophistication of the warning, caution, and 
advisory lights, which are designed as procedural decision 


aids for the pilot. 


B. VULNERABILITY REDUCTION 
Vulnerability reduction features attempt to minimize the 


degradation of aircraft performance as the result of combat 
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damage. There are six general concepts used in the design of 


these features [Ref. 1:pp. 269-306]: 


(1) Component redundancy (with separation). 
(2) Component location. 

(3) Component shielding. 

(4) Component elimination. 

(5) Passive damage suppression. 

(6) Active damage suppression. 


Although designed specifically for the reduction of | 
vulnerable area presented to a combat damage mechanism, these 
concepts may be applied to aircraft vulnerability reduction 
for threats in general. Most of the vulnerability reduction 
techniques are hardware design options, and do not lend 
themselves to direct pilot (or SM) control. The exceptions 
are active damage suppression and component redundancy, 
seperately or in combination. 

Active damage suppression features reduce vulnerability 
by containing or minimizing the terminal effects of a damage 
mechanism to a critical component, contingent upon detection 
of those terminal effects by an appropriate sensor. For 
example, the penetration (the terminal effect) of an engine 
lube oil sump (the critical component) by a blast generated 
fragment (the damage mechanism) will lead to the eventual 
seizure of the engine. The engine oil pressure guage 
indicates the resulting loss in oil pressure, allowing the 
pilot to preemptively secure the engine. Although the engine 
is functionally lost in either case, the difference in pilot 


action could make the difference in surviving the loss. 
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Component redundancy is achieved when the flight 
essential function (eg. lift, thrust, or control) that a 
component is designed to provide is preserved, even after the 
functional loss of that component. Ideally there will be 
several alternative components, or groups of components, 
which are capable of performing the same essential function. 
This critical component redundancy may be physical or 
neti onal, partial or total, concWrrent or contingent. If 
it is contingent, there must be some controlling mechanism 
that will sense the failure and subsequently activate the 
redundancy. In its simplest form, the redundancy activation 
mechanism can be reflexive, as in the deployment of a ram air 
turbine when total loss of electrical power is sensed by a 
solenoid. This technique is of limited application where the 
complexity and degree of degradation require careful 
consideration in the context of the current operational 
environment. For example, consider a Navy tactical aircraft 
making a field recovery. Failure of the landing gear 
breaking system during the landing roll may dictate either a 
long field arrestment or a go-around to a short field 
arrestment. Automatically lowering the arresting hook upon 
break failure is not an appropriate remedy, and could in fact 
lead to disasterous consequences. In such cases, a more 
sophisticated mechanism is required to activate the 
redundancy. This sophistication can be provided by either 


the pilot or the Survivability Manager. 
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The principles of component redundancy and active damage 
Suppression can be applied together to synergistically 
improve aircraft survivability. For example, a redundant 
control rod that is jammed (the terminal effect), as a result 
of blast-generated fragment impact (the damage mechanism), 
could be disengaged from the control linkage by means of an 
override switch (the active damage suppression feature). 

Once the jammed component is correctly identified by the 
appropriate sensor, the pilot or the SM could disengage the 
jammed rod (active damage suppression) and engage the 
remaining functional rod (component redundancy). 

The most productive method for determining the functional 
redundancies available for a particular aircraft design is to 
refer to its critical component analysis. Specifically, the 
kill tree (or kill expression) provides a clear presentation 
of these relationships, for a given kill level (i.e. degree 
of performance degradation), ina given flight phase (eg. 
take off, climb out, en route cruise, etc.). The task of 
developing the knowledge base for the Survivability Manager’s 
vulnerability reduction logics can be further simplified by 
encoding the failure modes and effects analysis (FMEA) aiong 
with the fault tree analysis (FTA) conducted for that 
aircraft into the knowledge base. When thoroughly performed, 
this study reveals not only the result of a particular 
component failure but also any backup systems capable of 


performing its functions This information, alone with 
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component functional status, comprises the necessary data 
required by the inference engine to correctly deduce and 


compensate for the failed component. 


C. RELATED RESEARCH 
1. Pilot’s Associat A 
Underwritten by the Defense Advanced Research 
Projects Agency (DARPA) through its Strategic Computing 
Program (SCP), the Pilot’s Associate is being developed by 
the Air Force’s Wright Aeronautical Laboratory (AFWAL). 
Essentially, it is expected to assist the single seat fighter 
pilot by providing ’phantom flight crew’ (i.e. copilot, 
weapon system operator, navigator, and flight engineer) 
expertise in both critical and non-critical situations. 
Initially, it will consist of four interactive expert systems 
mef. 11:pp 8-12): 
(1) A Situation Assessment Manager to assess the 
external environment as well as internal 
resources. 
(2) A Tactical Planning Manager to recommend optimum 
tactical employment of the aircraft, given 
mission objectives and restrictions. 
(3) A Mission Planning Manager to refine and 
redefine mission objectives, given current 
situation, command, and intelligence inputs. 
(4) A System Status Manager to monitor and diagnose 
total system health and current/projected 
status of all on-board systems. 


The Survivability Manager proposed in this thesis is 


partially assimilated to different degrees by each of the 
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PA’s four defined managers. If it were included as a 
separate manager, it would interact with the other ’managers’ 
to provide the pilot with an assistant whose primary purpose 
15 to manage the lower level survivability decision 
processes. 

2. Self-Repairing Flight Control” Systenmis7 haus 

This is another AFWAL research project. The S/R FCS 
will maintain post failure flight stability in fly by wire 
(FBW) flight controls by reconfiguring the multiple 
redundancies in control surfaces. Current FBW aircraft do 
not have this capability to recognize and account for 
structual damage through modification of the control laws 
that govern FBW operation [Ref. 12:pp 4-8]. Although 
originally developed for use in the Advanced Tactical Fighter 
(ATF), the principles would apply to all future combat 
aircraft and may even find limited applicability in 
retrofitting existing models. The SM could provide the S/R 
FCS with the functional status of the various flight contro 
components, so that raconfiguration may be as smooth and 
effective as possible. 

3. Fully Automatic Digital Engine Control (FADEC) 

Under development at the Naval Weapons Center, a 
major goal of the FADEC program is to significantly reduce 
engine vulnerability by fully automating the regulation of 
engine controls. Given a thrust requirement from the pilot, 


the system would adjust the control configuration to provide 
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optimum (post-battle-damage) performance. Algorithms are 
being developed to make the appropriate adjustments, once the 
trouble has been identified [Ref. 13]. AI will undoubtedly 
provide the means to make the identification, based on 
available sensor data. 


4. Computerized Automatic Test Equipment 


Conducted by the Navy Research Laboratory, the 
investigation centers around the development of a computer 
generated testing strategy leading to implementation of 
software for Built-in-Test (BIT) equipment [Ref. 14:p. 67]. 
This would provide the SM with a fault detection/isolation 
capability enabling rapid evaluation and reconfiguration of 
functional subcomponents. 

5. Collision Avoidance System (CAS) 

On board collision avoidance systems are currently 
being independently developed by several avionics firms to 
give pilots advance warning in situations where collision 
with other aircraft is imminent. The CAS uses a miniaturized 
version of the ground based air traffic control radar which 
interrogates transponder equipped aircraft (most are) in the 
vicinity for barometric altitude. This information, along 
with accurate range and bearing information provided by the 
radar itself, is used to predict collision hazards [Ref. 
15:pp 48-53]. There are various schemes used to advise the 
pilot of these hazards and to suggest avoidance maneuvers, 


but none use Al. Certainly, such a system could be 
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integrated with the SM to subtly initiate the avoidance | 
maneuvers even before the pilot is aware of the hazard. 
6. Terrain Avoidance Radar 
These radars are sophisticated versions of the simple 
radar altimeter which is found on all IFR certified aircraft. 
In both cases, their function is to provide accurate ground 
clearance information. This information is analyzed by 
either the pilot or the automatic pilot, in terrain following 
or terminal approach evolutions. It could also be made 
available to the SM as a backup monitor to warn against, and 
possibly prevent, unintentional collision with the ground or 
water. 
7. Wind Shear Detection and Alerting System 
Built by Sperry Corporation as a part of the 
Performance Management System (PMS) and currently under 
company evaluation, this system senses significant changes in 
horizontal and vertical relative wind velocity (wind shear) 
and alerts the pilot with advisory lights, so that 
appropriate compensation can be initiated well before the 
pilot could otherwise detect the hazard {Ref. 16:pp. 30]. By 
feeding this information directly to the autopilot, the SM 
could initiate corrective action even sooner. 
8. Integrated Electronic Warfare System (INWES) 
The INWES program is expected to enhance aircraft 
survivability by providing crew members with eloctro-optical 


and elctromagnetic threat warning and, if required, indicate 
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an appropriate countermeasure response. Weapon system 
synergism is effected by using information provided by other 
on board sensors and subsystems, such as communications, 
navigation, and external sensors [Ref. 17:pp. 31-34]. INWES 


primary processing is an obvious candidate for KBS 


application. 
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VI. DESIGN REQUIREMENTS 


Given the benefits of a Survivability Manager in the 
cockpit to assist the pilot in survivability management, the 
most challenging task to be undertaken (aside from funding) 
is the actual design and construction of the SM. The first 
step towards this goal is to define exactly what functions 
the SM is expected to perform. Once this is done, it remains 
to determine whether the required hardware, software, and 
sensors exist in practical form. If not, is the technology 
available to fabricate them? Finally, the system must be 
tailored to the specific systems and physical constraints of 


its parent aircraft. 


A. FUNCTIONAL REQUIREMENTS 

In order to define the functional requirements for the 
SM, it is useful to first characterize the pilot в duties and 
responsibilities with regard to survivability. The pilot 
might be considered a physician of sorts, and his aircraft a 
patient. He must constantly be aware of the health of his 
aircraft. He must rapidly and accurately diagnose any 
problems and prescribe a suitable remedy. Of course, a real 
doctor would have the benefit of easy access to exhaustive 
reference material, as well as the invaluable ’зесопа 


Opinion from other doctors.: With the advent of AI, the 


or 


physician has also been given the means to obtain this second 
opinion from a machine. MYCIN is an example of such a 
medical expert system, one that is concerned with blood 
infections and meningitis infections. Via interactive 
consultation, the doctor inputs the symptoms and vital 
statistics, and MYCIN produces a diagnosis and recommends 
appropriate therapy [Ref. 18:pp. 39-44]. Clearly, this 
Survivability Manager for people can find useful application 
to aircraft, with an appropriate knowledge base. The major 
difference is that the health would be directly monitored by 
the SM. 

The Survivability Manager can be designed to perform a 
myriad of tasks which would otherwise require excessive pilot 
action or consideration. Regardless of the scope of 
involvement, the system must accomplish its tasking in five 
basic phases: monitor, predict, detect, analyze, and respond. 

1. Monitor Aircraft Health and External Environment 

The human brain can not reason without data, and the 
expert system is no different in this respect. They both 
require a nervous system, with suitable internal and external 
environment sensors, to gather and convey this data. In the 
cockpit, the data required can be obtained either by direct 
sensor relay, or indirectly by subsystem self-diagnostics 
Polling. 

External sensors provide the data required by the 


susceptibility reduction logics to forecast external hazards. 
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Examples include radar altimeter апа collision avoidance 
radar. Internal sensors can be further subdivided into 
susceptibility reduction sensors and vulnerability reduction 
sensors. Susceptibility reduction sensors are concerned with 
control and actuator position reporting, providing positive 
feedback while monitoring normal and emergency procedures. 
If critical steps are omitted or transposed, susceptibility 
goes up for the hazards these procedures are established to 
avoid. Vulnerability reduction sensors report component 
and/or subsystem failure mode and degree. A complete, 
current picture of aircraft health is required for 
vulnerability reduction logics to determine the most 
effective subsystem reconfiguration possible. 
2: Predict Hazards 

The susceptibility reduction logics rely on external 
and internal sensors to provide thedata pertaining to 
proximity to hazardous conditions. To be effective, these 
logics must be able to deduce the hazard well before it 
precipitates any component failures. This requires a 
cause-and-effect reasoning capability which the expert system 
can theoretically supply. By extrapolation, the hazard may 
be argued to include equipment malfunction and pilot 
oversight. For example, a combat aircraft executing covert 
ingress to the target may unintentionally be radiating some 
form of electromagnetic energy. Note that, in this example, 


the logics must be cognizant of the flight mission and phase. 
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This would suggest an interface with the ’mission manager of 
the Pilot’s Associate program, under development at the Air 
Force Wright Aeronautial Laboratory. 
3. Detect a Tsolat i lure 

When a hazard can not be avoided, its damaging 
affects must be sensed before suitable vulnerability 
reduction measures can be applied. Failure mode and degree 
must be accurately reported to ensure the widest possible 
range of corrective actions available. Failure mode is the 
nature of functional degradation, while failure degree is the 
measure of its completeness. For example, a failure mode for 
an engine may be a partial loss of thrust with a degree of 
eighty-five percent maximum rated thrust available. The 
precise determination of the mode and degree of component 
failures requires a high degree of sensor sophistication and 
proliferation. Fortunately, most subsystems in modern 
aircraft are constructed with built-in-test circuits which 
can provide the bulk of this information. The remainder will 
have to be gathered by sensors designed for specific 
survivability applications. For example, sensors designed to 
report structural removal and over-stress conditions would 
prove invaluable in real time determination of performance 
limits. 

4. Determine Optimal Response 
In a multi-factored scenario, such as an aircraft in 


flight, there can be several plausible alternatives to act 
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upon at any given decision point. Only one can be selected, | 
апа a great deal of time can not be consumed in the 
selection. A knowledge based system with sufficient memory 
available can, in theory, identify and explore each viable 
alternative and present them to the pilot. Further, it can 
prioritize the list by optimal consistancy with flight Sager, 
and mission objectives. This is the essence of the utility 
of the expert system in survivability enhancement; the 
ability to determine the best course of action based on the 
analysis of internal and external data, given pre-defined 
non-numeric constraints. 
5. Advise or Act 

Once presented with the various alternatives, the 
pilot may or may not choose to act on the one that the expert 
system suggests. His decision would be based on factors it 
has not been provided for consideration. For example, the 
Pilot may be the lead in a two plane flight, in which case 
the impact of his actions on his wingman must be considered. 
Conversely, it is conceivable that the situation may dictate 
an immediate response to prevent a catastrophic failure. A 
case in point is a sudden wind shear during final approach, 
resulting in excessive vertical drop. A properly programed 
expert system with suitable control interfaces could initiate 
compensation procedures well before the pilot could react, 


increasing the chances of Surviving the hazard. 
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Clearly, an enable switch must be provided to give the 
pilot the prerogative to allow the expert system to act 
autonomously. Further, the pilot should be able to select 
the type and degree of autonomous tasking that the expert 
system is allowed to perform. In any case, the SM must 


inform the pilot of any actions taken. 


B. SYSTEMS REQUIREMENTS 
Today, the AI discipline is largely within the pure 
research stages, with a limited number of systems thus far 
developed for solving problems of modest complexity. 
However, enough is known to estimate general system 
requirements for an expert system for practical applications. 
1. Hardware 
The Survivability Manager must be able to react in 
real time to a dynamic, complex set of internal and external 
conditions. This equates to a need for extremely high speed 
processors and access to very large memories. 
a. Processors 
The so-called ’super computers’, employing the 
conventional Von Neumann serial processing architecture, are 
being built with clock cycle times close to their minimum 
useful limit. Since an electrical pulse can only travel .3 
meters іп а nanosecond, the clock rate is beginning to 
constrain the very size of the computer. And yet, a 


nanosecond may not be small enough in a Serial processor for 
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the enormous number of inferences per second required of an 
SM of modest capability. Goodyear Aerospace’s Massively 
Parallel Processor (MPP) is an example of a new approach to 
this problem, one that may prove both faster and cheaper 
[Кеё. 19:рр. 20-28]. The MPP design is essentially a 
physical representation of the ’parallelism’ problem solving 
technique listed in Chapter VI. By building a system with 
hundreds, or even thousands, of processors which operate 
independently, the solution space search can theoretically be 
completed in a corresponding fraction of the time. However, 
there are some major obstacles to the development of parallel 
processing machines for practical AI applications. For 
example, processor interconnections and memory access schemes 
must provide for efficient use of available processing 
capabilities. Moreover, some means must be devised to break 
down the problem and equitably distribute the pieces. 

b. Memory 

It has been said that knowledge is power, and 

this is painfully evident to expert systems engineers. They 
have found that the size of the knowledge base iS even more 
important than the efficiency of the inference engine. DARPA 
has estimated that a 10,000 rule expert system is the minimum 
size that could have practical military applications. Most 
currently operational expert systems have fewer than 500 
rules. The implication is that massive memory facilities 


must be accessible to the SM, facilities that are not 
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currently available. The current expert system computer 
architecture utilizes an 18 bit address, providing a maximum 
of 262,144 addresses. The 32 bit address computer, providing 
for a maximum of 4.3 billion addressable memory locations, is 
seen as the logical choice for future expert systems. 
2. Software 

The expert system can not be efficiently programmed 
using a conventional language, such as FORTRAN or PASCAL. To 
fill this need, declarative languages have been developed 
specifically for KBS applications. Currently, the two most 
widely used expert system programming languages are "“LISt 
Processing (LISP) and "“PROgramming in LOGic” (PROLOG). Both 
of these languages are effective building tools, but there 
are significant differences. LISP is useful because it 
manages data structures easily, and its programs can 
manipulate other programs, but it has no tools for logic 
programming. PROLOG is useful because it is essentially a 
compiler into which the user merely inputs the encoded 
knowledge base. The usual programming skills are not 
required. However, this ease of implementation is also а 
disadvantage, because it allows no efficient mechanism for 
closely controlling a procedural activity. The KBS language 
of the future will undoubtedly attempt to assimilate the best 


of both languages. 
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За: Knowledge Acquisition 


This is the greatest single challenge to the 
realization of the SM. The SM must have access to properly 
encoded domain knowledge, and lots of it. Although there is 
no shortage of aircraft systems expertise, getting this 
knowledge into a form that is useful to an expert system is 
an extremely tedious, and not always successful, process. 
Researchers have found that often times a domain expert (eg. 
the pilot) may not be able to explain his/her reasoning ina 
particular situation, though he/she is unerring in his/her 
assessment. 

4. Data Acquisition 

Although domain knowledge is essential to the 
operation of the SM, it will be of no value to the pilot if 
it can not be applied to his current situation. The SM must 
also be able to sense the internal health and status of the 
aircraft systems, as well as the external environment. This 
can be accomplished through distributed resource sharing with 
the dedicated microprocessors in the various aircraft 
functional subsystems, or by direct sensor relay. 

a. Resource Sharing 

Most of the major systems in current commercial 
and military aircraft models have imbedded mircroprocessors 
that automate the operation of those systems for the pilot. 
The system status reports they receive from the components 


they control could theoretically be passed to the SM. The 
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physical interconnection scheme used to accomplish this 
transfer must account for the differences in architecture 
between the processors involved. 
b. Dedicated Sensors 

If resource sharing is not feasible or system 
status reports are otherwise not available for critical 
components, then sensors must be fitted to the components; 
sensors that report directly to the SM. Precise functional 
information may be required (i.e. failure cause, mode, and 
degree), which then requires a corresponding sophistication 


in sensor design. 


С. COMPATIBILITY CONSIDERATIONS 

Assuming that it is possible to build a competent 
Survivability Manager KBS, one of the last major design tasks 
is to build it within the physical constraints of the parent 
aircraft. This requirement is at odds with the systems 
requirements. To limit the acceptable volume and weight 
allocation necessarily limits the maximum processing and 
memory storage capabilities. Of course, this is a problem 
for avionics in general. 

1. Integration with Projected Aircraft 

In keeping with the philosophy that survivability 

should be designed in and not just added on, it is obvious 
that the Survivability Manager will be most successful when 


it сап be incorporated into the earliest stages otf the parent 
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aircraft’s development. This is especially important for the 
SM, because it must be able to sense the functional health of 
the aircraft in depth. 

2. Retrofit with Existing: Aircraft 

Existing aircraft may not be operational by the time 

a working SM of practical importance is finally available. 
Should major breakthroughs in research (funding) occur, it 
will be extremely costly to effectively integrate the SM with 
these aircraft. It may even be too late for next generation 
aircraft, such as the ATA and the ATF. This because the 
intimate interfacing that must be considered in the design 


now can not rely on AI practical success later on. 
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VII. SUMMARY AND CONCLUSIONS 


A. SUMMARY 

In spite of intensive safety engineering and well 
developed flight procedures, civil aircraft survivability is 
challenged by the hazards associated with the modern 
operational flight environment. For the military aircraft 
that is operating in a man-made hostile environment, these 
hazards are compounded by hazards which are specifically 
intended for the destruction of aircraft. Regardless of the 
type of mission to be flown, the primary responsibility of 
the pilot is the safe, effective employment of the aircraft, 
and his/her performance is seriously degraded by these 
hazards. U. S. National Transportation Safety Board 
statistics reveal a general decline in civil aircraft 
accidents in the last decade, but there are still too many, 
and a large portion of these accidents can be at least 
Partially attributable to pilot error. Statistics for 
military flight mishaps show a similar pattern. Pilot error 
is often the result of task overload conditions. This 
conclusion is based on the fact that most accidents occur 
during critical flight phases when the pilot task load is 
greatest. 

Conventional task load reduction practices seek to 


enhance aircraft survivability by automating the execution of 
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pilot-selected aircraft system functions. Although this 
automation allows the pilot to manage several of the aircraft 
systems simultaneously, it can lead to a ‘data rich - 
information poor’ cockpit if the number or complexity of the 
systems involved is great. This data rich condition will in 
fact decrease the aircraft’s survivability if the pilot 
commits a procedural error while sorting through 
nonprioritized and/or extraneous data. It is clear that 
relegation of task management, as well as simplification of 
task execution, is required to effectively reduce pilot 
workload during critical flight phases. If larger crews or 
improved pilot capabilities are not feasible approaches for 
enhanced task management , then the avionics engineer must 
build ’intelligent’ sytems that can manage themselves. These 
automated Survivability Managers (SM) would monitor aircraft 
health and the external environment, and react to recognized 
hazards in ways that complement or even supplement pilot 
capabilities. 

Knowledge based systems (KBS), which are considered 
Studies within the field of artificial intelligence (AI), are 
ideally suited to provide the pilot with an automated 
Survivability Manager. The KBS relys on sophisticated 
problem solving techniques and vast stores of domain-specific 
knowledge to solve problems that conventional language 
programs can not solve. The conventional programming 


languages (e.g. FORTRAN) rely on numeric methods to solve 
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problems and can not efficiently handle problems involving 
non-numeric relationships. In contrast, the declarative 
languages used in knowledge based systems can employ 
human-like reasoning techniques and strategies. 
Conceptually, the KBS consists of a knowledge base and an 
inference engine. The knowledge base contains the domain- 
specific knowledge (provided by domain experts) required to 
solve domain-specific problems. The inference engine 
performs the actual reasoning process by employing some 
suitable combination of reasoning techniques and strategies. 
The application of KBS principles to survivability management 
is illustrated in Chapter IV, using a hypothetical engine 
fuel supply system as a working example. 

Once the KBS capabilities are understood, the 
applications to survivability enhancement are readily 
apparent. In a military aircraft, the Survivability Manager 
could detect, analyze, classify, and respond to threat 
emitters and propagators through the integrated management of 
the available susceptibility reduction features and 
equipment. In a civil aircraft, susceptibility reduction 
would be accomplished by pooling the external and internal 
sensor resources to prevent damage due to environmental 
extremes, material overstresses, and human errors. The SM 
can assist with vulnerability reduction in both civil and 
military aircraft through control of active damage 


Suppression and/or component redundancy features. Тһе 
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development of the SM can draw upon the efforts of the 
Pilot’s Associate, the Self-Repairing Flight Control System, 
the Fully Automatic Digital Engine Conrol system, and several 
other related research projects. 

The SM can be designed to manage a number of distinct 
aircraft survivability enhancement operations, but in all 
cases this management must be performed in five basic phases: 
Monitor aircraft health, and the external environment. 
Predict hazards. 

Detect and isolate failures. 


Determine the optimal response. 
Advise the pilot, or act autonomously. 


SON NO 
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Aside from these functional requirements, there are systems 
requirements that must be considered by the SM designer. 
Processing speed must be fast enough to allow the SM to react 
immediately to real or perceived hazards. Memory storage 
space must be sufficient to include the enormous amount of 
knowledge needed. The programming language should allow for 
ease of knowledge infusion, yet be flexible enough to apply a 
number of reasoning techniques and strategies. Systems 
status data must be made accessible via resource sharing and 
dedicated sensors. Finally, the system must fit gracefully 
into the parent aircraft, preferably during the early 


aircraft design stages. 
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В. CONCLUSIONS 
1. Feasibility 
Тһе knowledge based system is an emerging technology. 
The KBS has already been proven in small scale applications, 
and has even begun to enjoy significant commercial 
development. Although a system which is large enough to 


accomodate a Survivability Manager with modest capabilities 
(on the order of 10,000 rules) has yet to be built, the 
potential certainly exists. Of course, the first such system 
may not fit into a C-5’s cargo bay, let alone an F/A-18’s 
avionics suite. But even the single seat fighter pilot will 
one day realize the benefits of an intelligent cockpit. Тһе 
capability for relegating lower level management processes is 
sorely needed now, especially during the task-load-saturated 
critical flight phases. Through AI, the Survivability 
Manager will meet this challenge, but only after intensive 
research and development efforts. 
2. Recommendations for Further Research 

There are a number of studies which must be conducted 
to further investigate the feasability of building a 
Survivability Manager. Although these studies will rely on 
basic AI research, they should be centered on the specific 
needs of the intelligent cockpit. The first study might 
consist of defining a modest 200 rule KBS for an isolated 
System in an actual aircraft, such as the F/A-18 power plant. 


The aircraft’s critical component analysis along with the 
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flight systems manual will provide an excellent source of 
basic knowledge for this purpose. Next, the method of 
representing the knowledge in the knowledge base must be 
considered. This entails selection of the hardware and 
software to host the expert system. This selection will be 
limited by available assets. Once the knowledge has been 
properly encoded, a harness must be constructed to simulate 
the various aircraft health status inputs required by the SM 
prototype. Finally, the system should be tested using 
realistic performance and failure data from the actual 
aircraft. The SM prototype can then be tested under various 
Simulated adverse conditions to assess and refine the 
correctness and timeliness of its responses. These studies 
will not be conclusive, but they should be indicative of the 


promise of AI for enhanced aircraft survivability. 
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APPENDIX A (GLOSSARY) 


ACTIVE DAMAGE SUPPRESSION- An aircraft vulnerability 
reduction technique, wherein damage is sensed and 
subsequently minimized or contained through activation of one 
or more devices. 


AIRCRAFT COMBAT SURVIVABILITY- The ability of an aircraft to 
avoid or withstand (damage caused by) a man-made hostile 
environment. 


AIRCRAFT COMBAT SUSCEPTIBILITY- The inability of an aircraft 
to avoid (damage caused by) a man-made hostile environment. 


AIRCRAFT COMBAT VULNERABILITY- The inability of an aircraft 
to withstand (damage caused by) a man-made hostile 
environment. 


AIRCRAFT HEALTH- The functional condition of the aircraft, 
measured by its operational performance capabilities, and 
dependent on the functional condition of its systems and 
system components. 


AIRCRAFT SURVIVABILITY- The ability of an aircraft to avoid 
or withstand (flight performance degradation caused by) a 
hazardous situation. 


РКСОКАРЕТ SUSCEPTIBILITY- The inability of an aircraft to 
avoid (flight performance degradation caused by) a hazardous 
Situation. 


AIRCRAFT VULNERABILITY- The inability of an aircraft to 
withstand (flight performance degradation caused by) a 
hazardous situation. 


ARTIFICIAL INTELLIGENCE- The condition where machines mimic 
human rational thought processes. 


BACKWARD INFERENCING- A reasoning strategy wherein a solution 
to a problem is assumed and a search for supporting evidence 
15 then pursued sequentially backwards to the known facts. 


COMPONENT REDUNDANCY- A vulnerability reduction technique 
wherein a function can be performed by more than one 
component or groups of components. 


CRITICAL COMPONENT- A component which makes a necessary 
contribution to the performance of a flight essential 
function. The loss of a redundant critical component will 
not neccessarily result ina loss of a flight essential 
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tunction, whereas the loss of a non-redundant critical 
component will always result in the loss of a flight 
essential function. 


CRITICAL FLIGHT PHASE- A portion of the flight in which Тһе 
aircraft is especially susceptible to hazardous situations. 


DOMAIN EXPERT- A person that is recognized as an authority 
in the specific subject of interest and from whom knowledge 
is acquired for a knowledge based system. 


DOMAIN KNOWLEDGE- The knowledge that an expert in the 
subject of interest provides to the KBS. 


EXPERT SYSTEM- See KNOWLEDGE BASED SYSTEM 


FAILURE CAUSE- A primary event which significantly 
contributed to the failure mode of a component. 


FAILURE DEGREE- The extent or completeness to which a 
component’s performance has been functionally degraded. 


FAILURE MODE- The nature of a component failure. For 
example, a control rod may be either severed or jammed. 


FAILURE MODES AND EFFECTS ANALYSIS (FMEA)- A procedure that 
(1) identifies and documents all possible failure modes of a 
component or subsystem, and (2) determines the effect of each 
failure mode upon the capability of the system or subsystem 
to perform its essential functions. 


FLIGHT ESSENTIAL FUNCTION- A system or subsystem function 
required to enable the aircraft to sustain controlled flight. 


FORWARD INFERENCING- A reasoning strategy wherein a search 
for a problem solution is conducted sequentially from the 
known facts. 


INFERENCE ENGINE- The construct within the KBS that performs 
the reasoning process. 


INSTRUMENT FLIGHT RULES (IFR)- FAA supervised flight 
procedures wherein the aircraft route, altitude, and airspeed 
is dictated by ground controllers. 


KNOWLEDGE BASED SYSTEM (KBS)- A computer system that uses 
sophisticated non-numeric problem solving techniques and vast 
stores ot knowledge to solve problems beyond the reach of 
conventionally programmed computers. 
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KNOWLEDGE BASE- The construct within the KBS that contains 
the encoded domain knowledge. 


MAN-MADE HOSTILE ENVIRONMENT- Flight conditions that are 
hazardous to flight safety due to the intentional employment 
of destructive man-made devices. 


SURVIVABILITY MANAGER- A knowledge based system designed to 
assist the pilot in the management of the aircraft’s 
survivability features and equipment. 


VISUAL FLIGHT RULES (VFR)- Flight procedures wherein the 
pilot is solely responsible for the safe conduct of the 
flight and is not under direct ground supervision. 


в 
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